[TYPO3-dev] Idea for hardened TYPO3 BE-User-Accounts - Solution: no hardener
Christian Trabold
typo3 at christian-trabold.de
Fri Oct 26 10:51:10 CEST 2007
Hi Dmitry,
>> What about a new field in be_users which stores a value (the salt)
>> which is unique for the given TYPO3-Installation (eg
>> TYPO3-Encryption-Key).
>>
>> If a backend user logs into the backend this value is checked against
>> the current TYPO3-Encryption-Key.
>
> Then it should not be the clear encryption key but md5($username, $encrkey).
> And remember about database keys. This query hits performance.
I reconsidered my idea and came to the conclusion that it would not
harden anything...
Why? Well, if a hacker can fire SQL statements, it's easy to fire a
first SELECT statement to get the salt, which could then be used in a
second run for an INSERT statement.
*Conclusion*
The very best way to harden TYPO3 is minding the coding guidelines [1]
and the TYPO3 Security Cookbook [2].
Greetings,
Christian
[1]http://typo3.org/documentation/document-library/core-documentation/doc_core_cgl/current/
[2]http://typo3.org/teams/security/
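A small Python model of the two variants discussed in this thread, added here as an illustration (it is neither TYPO3 code nor anything posted by the participants): the plain per-installation salt stored in be_users, and Dmitry's md5($username, $encrkey) tag. The key value, user names and row layout are constructed; the last scenario goes one step beyond the thread by showing that a per-row tag which does not cover the password field still leaves an existing account's password overwritable.

```python
import hashlib

# Toy stand-in for a be_users row check (constructed for this note, not TYPO3 code).
ENCRYPTION_KEY = "example-installation-key"  # assumed to live in the config file, not in the DB


def pw_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def row_tag(username: str, key: str) -> str:
    """Dmitry's variant: md5 over the username and the installation key, stored per row."""
    return hashlib.md5((username + key).encode()).hexdigest()


def plain_salt_ok(row: dict, expected_salt: str) -> bool:
    """Original proposal: the installation salt is stored in the table and compared on login."""
    return row["salt"] == expected_salt


def keyed_tag_ok(row: dict, key: str) -> bool:
    """Login check for the keyed variant: recompute the tag from the row's username."""
    return row["tag"] == row_tag(row["username"], key)


def scenario_plain_salt() -> bool:
    """Christian's point: whoever can SELECT reads the salt and reuses it in an INSERT."""
    salt = "per-installation-salt"
    legit = {"username": "admin", "password": pw_hash("secret"), "salt": salt}
    # The salt is readable from the same table, so the forged row carries a valid copy.
    forged = {"username": "intruder", "password": pw_hash("owned"), "salt": legit["salt"]}
    return plain_salt_ok(forged, salt)  # True: the check accepts the forged row


def scenario_keyed_tag_new_user() -> bool:
    """Keyed variant: without the key, the tag for a new username cannot be computed."""
    forged = {"username": "intruder", "password": pw_hash("owned"), "tag": "0" * 32}
    return keyed_tag_ok(forged, ENCRYPTION_KEY)  # False: forged new account is rejected


def scenario_keyed_tag_existing_user() -> bool:
    """Keyed variant: the tag does not cover the password, so an overwritten row still verifies."""
    legit = {"username": "admin", "password": pw_hash("secret"),
             "tag": row_tag("admin", ENCRYPTION_KEY)}
    overwritten = dict(legit, password=pw_hash("owned"))
    return keyed_tag_ok(overwritten, ENCRYPTION_KEY)  # True: the stored tag is still valid
```

The only check that actually distinguishes a legitimate row from a tampered one is the one whose secret is not reachable through the same SQL access, and even that one leaves every field it does not cover unprotected.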